# {{output.header}}
# {{{output.link}}}
{{#unless (includes "old" form.config)}}
# note that Caddy automatically configures safe TLS settings
{{/unless}}

# replace example.com with your domain name
example.com
{{! This is a big of a kludge due to Caddy restrictions on TLS versions and cipher suites }}
{{#if (includes "old" form.config)}}

tls {
    protocols tls1.0 tls1.3
    ciphers ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-CBC-SHA ECDHE-RSA-AES256-CBC-SHA ECDHE-RSA-AES128-CBC-SHA ECDHE-ECDSA-AES256-CBC-SHA RSA-AES128-CBC-SHA RSA-AES256-CBC-SHA RSA-3DES-EDE-CBC-SHA
}
{{/if}}
{{#if (includes "intermediate" form.config)}}

# Due to a lack of DHE support, you -must- use an ECDSA cert to support IE 11 on Windows 7
tls {
    protocols tls1.2 tls1.3
    ciphers ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-CHACHA20-POLY1305
}
{{/if}}
{{#if (includes "modern" form.config)}}

tls {
    protocols tls1.3
}
{{/if}}
{{#if form.hsts}}

# HSTS ({{output.hstsMaxAge}} seconds)
header / Strict-Transport-Security "max-age={{output.hstsMaxAge}}"
{{/if}}